[MXS-2494] MySQLAuth load users query doesn't check mysql.user's plugin column for MariaDB 10.1+ Created: 2019-05-15  Updated: 2020-08-25  Resolved: 2019-05-17

Status: Closed
Project: MariaDB MaxScale
Component/s: Authenticator
Affects Version/s: 2.2.21, 2.3.6
Fix Version/s: 2.2.22, 2.3.8

Type: Bug Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: markus makela
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MXS-1627 MySQLAuth loads users that use authen... Closed
relates to MXS-1693 In Maxscale 2.2.2 getting users with ... Closed

Description

When MaxScale connects to a backend that is running MariaDB 10.0 or below and it is configured to use MySQLAuth, it properly checks the "plugin" column of mysql.user when determining which database users to load:

https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/MySQLAuth/dbusers.cc#L48

However, the queries for MariaDB 10.1 and MariaDB 10.2+ do not check the "plugin" column of mysql.user:

https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/MySQLAuth/dbusers.cc#L57

https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/MySQLAuth/dbusers.cc#L86

As a consequence, the MySQLAuth authenticator can load user accounts that use authentication plugins like pam, unix_socket, gssapi, etc., which MySQLAuth can't actually support.

In the best case scenario, this can just fill up MaxScale's MySQLAuth user database with useless junk.

In the worst case scenario, this can cause subtle bugs that may be able to let people log into MaxScale with no password when they shouldn't be able to. I think I may be seeing at least one bug like this.
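To make the described mismatch concrete, the following is an added example, not MaxScale's own code or its actual user-loading query. It builds a constructed stand-in for mysql.user with the MariaDB 10.1-10.3 column layout (user, host, password, plugin, authentication_string; the table name mock_user and the accounts are assumptions) and contrasts a load that ignores the plugin column with one that filters on it.

```sql
-- Added example (not MaxScale's own query): a constructed stand-in for
-- mysql.user, showing why the plugin column must be checked when loading
-- accounts into a native-password authenticator such as MySQLAuth.
-- Assumes the MariaDB 10.1-10.3 mysql.user column layout; the table name,
-- accounts and hosts below are constructed for illustration.
CREATE TEMPORARY TABLE mock_user (
    user                  VARCHAR(80) NOT NULL,
    host                  VARCHAR(60) NOT NULL,
    password              VARCHAR(41) NOT NULL DEFAULT '',
    plugin                VARCHAR(64) NOT NULL DEFAULT '',
    authentication_string TEXT        NOT NULL
);

-- Constructed accounts: two native-password users (one with the hash in the
-- legacy 'password' column and an empty plugin, one with the hash in
-- 'authentication_string'), plus a unix_socket user and a pam user.
-- The hash is mysql_native_password's hash of the string 'password'.
INSERT INTO mock_user (user, host, password, plugin, authentication_string) VALUES
    ('app',     '%',         '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29', '', ''),
    ('legacy',  '10.0.0.%',  '', 'mysql_native_password', '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29'),
    ('root',    'localhost', '', 'unix_socket', ''),
    ('pamuser', '%',         '', 'pam',         '');

-- Unfiltered load, i.e. a query that never looks at 'plugin': all four rows
-- are returned, and the unix_socket and pam rows come back with an empty
-- password hash even though those accounts cannot be verified by a
-- native-password check at all.
SELECT user, host, password, plugin
FROM mock_user;

-- Filtered load: keep only accounts a native-password authenticator can
-- actually verify, i.e. plugin empty (legacy layout) or
-- 'mysql_native_password', and pick the hash from whichever column the
-- layout stores it in.
SELECT user,
       host,
       IF(plugin = 'mysql_native_password', authentication_string, password) AS pw_hash,
       plugin
FROM mock_user
WHERE plugin IN ('', 'mysql_native_password');
```

The first SELECT returns four rows; the second returns only 'app' and 'legacy', each with a non-empty hash. Whatever the exact query a given MaxScale version uses, a practitioner checking a backend for this class of problem can run the same two queries against the real mysql.user and compare the row counts: any account that appears only in the unfiltered result is one that a native-password authenticator has no way to verify.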

